Firmware update method in two-chip solution for secure terminal

ABSTRACT

A firmware update method in a two-chip solution for a secure terminal. The method comprises secure firmware update and application firmware update. The secure firmware update comprises: a secure processor erases a secure firmware storage area ( 201 ), decrypts a first ciphertext in firmware data to obtain a symmetric key ( 202 ), decrypts a second ciphertext in the firmware data with the symmetric key, and writes a decryption result to the secure firmware storage area ( 206 ). The application firmware update comprises: an application processor erases an application firmware storage area ( 301 ), acquires firmware data through the secure processor, decrypts a first ciphertext in the firmware data to obtain a symmetric key ( 302 ), decrypts a second ciphertext in the firmware data with the symmetric key, and writes a decryption result to the application firmware storage area ( 308 ). The method can effectively prevent firmware from being intercepted, copied, tampered, damaged or simulated during the update process of the firmware.

FIELD OF THE INVENTION

The present invention relates to a method for updating a firmware in a double-chip-schemed security terminal, which belongs to the information security field.

PRIOR ART

A firmware is a program which is written in EPROM, EEPROM or Flash chip, in other words, a firmware is a solidified software, which is program code solidified in an integrated circuit. The firmware is in charge of controlling and coordinating the integrated circuit. However, with the development of technology, it is a strong wish to modify a firmware to adapt for an updating firmware environment. At present, a firmware is usually updated by entering a bootloader program in a chip or a self-programmed bootloader program through an external interface.

In prior art, the firmware which is being updated is sent to a chip in a form of plaintext, and the chip can be accessed through an external interface. Thus, the firmware may be intercepted, copied, interpolated, damaged or simulated in the process of updating.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a method for updating firmware in a double-chip-schemed security terminal to protect the firmware from being intercepted, copied, interpolated, damaged or simulated.

Thus, the present invention provides a method for updating firmware in a double-chip-schemed security terminal, wherein:

a security terminal checks firmware information which is cached in a firmware buffer, and determines a type of the firmware updated according the firmware information, security firmware is updated in the case that the firmware is a security firmware; application firmware is updated in the case that the firmware is an application firmware;

in which, the security terminal includes a security processor and an application processor,

updating a security firmware includes:

Step A1, erasing, by the security processor, a security firmware storage area, decrypting a first cipher in firmware data cached in the firmware buffer to obtain a symmetric key, initializing a firmware-read address and a firmware-updated destination address;

Step A2, reading, by the security processor, a preset length of data from the firmware-read address, decrypting read data according to the symmetric key to obtain decrypted data, writing the decrypted data in the firmware-updated destination address, updating the firmware-read address and the firmware-updated destination address; and

Step A3, determining, by the security processor, whether there exists unread data, if yes, returning to Step A2; otherwise, the process of updating security firmware is finished; and

updating an application firmware includes:

Step B1, erasing, by the application processor, an application firmware storage area, sending a reading-firmware-information instruction to the security processor, waiting for firmware information returned from the security processor;

Step B2, decrypting, by the security processor, the first cipher in the firmware data cached in the firmware buffer to obtain a symmetric key after the reading-firmware-information instruction is received by the security processor, initializing the firmware-read address, and returning the firmware information cached in the firmware buffer to the application processor;

Step B3, initializing, by the application processor, the firmware-updated destination address after the firmware information is received by the application process, and executing Step B4;

Step B4, sending, by the application processor, a reading-firmware-data instruction to the security processor, and waiting for the firmware data returned by the security processor;

Step B5, reading, by the security processor, a preset length of data from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updating the firmware-read address, decrypting the read data according to the symmetric key to obtain decrypted data, and returning the decrypted data to the application processor; and

Step B6, writing, by the application processor, the decrypted data into the firmware-updated destination address after the decrypted data is received by the application processor, and updating the firmware-updated destination address; determining whether there exists unread data, if yes, returning to Step B4; otherwise, the process of updating application firmware is finished.

Preferably, the firmware information includes a firmware update flag;

determining a type of firmware which is to be updated according to the firmware information specifically includes: determining a type of the firmware update flag in the firmware information, the firmware which is to be updated is security firmware in the case that the firmware update flag is a security firmware update flag; the firmware which is to be updated is application firmware in the case that the firmware update flag is an application firmware update flag.

Preferably, before the preset length of data is read by the security processor from the firmware-read address, the process further includes: initializing a reading length;

Preferably, after the preset length of cipher is read by the security processor from the firmware-read address, the method further includes: updating the reading length;

determining whether there exists unread data specifically includes: determining, by the security processor, whether the reading length is a preset value, if yes, there isn't unread data; otherwise, there exists unread data;

initializing the reading length specifically is: initializing the reading length, so as to the initialized reading length equals a length of a second cipher in the firmware data which is cached in the firmware buffer;

updating the reading length specifically is: updating the reading length as a length obtained by subtracting a preset length from a current value of the reading length; and

the preset value specifically is 0.

Preferably, initializing the firmware-read address is: initializing the firmware-read address as an initial address of the second cipher in the firmware data which is cached in the firmware buffer;

updating the firmware-read address specifically is: updating the firmware-read address as an address obtained by adding the preset length of offset to the current address.

Preferably, initializing, by the security processor, the firmware-updated destination address is: the security process initializing the firmware-updated destination address as a preset address in the security firmware storage area;

updating, by the security processor, the firmware-updated destination address specifically is: the security processor updating the firmware-updated destination address as the address obtained by adding a preset length of offset to the current address.

Preferably, initializing, by the application processor, the firmware-updated destination address is: the application processor initializing the firmware-updated destination address as a preset address in the application firmware storage area;

updating, by the application processor, the firmware-updated destination address specifically is: the application processor updating the firmware-updated destination address as an address obtained by adding the preset length of offset to the current address.

Preferably, when the security processor determines that there is no unread data in Step A3, the step further includes: erasing the firmware buffer.

Preferably, when the application processor determines that there is no unread data in Step B6, the step further includes:

Step B7, sending, by the application processor, an instruction that reading firmware is finished to the security processor, waiting for an operation response returned from the security process;

Step B8, erasing, by the security processor, the firmware buffer after the instruction that reading firmware is finished is received by the security processor, and returning an operation response to the application processor;

updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.

Preferably, before the security terminal checks the firmware information cached in the firmware buffer, the process further includes downloading firmware, which includes:

Step C1, sending, by an upper computer, an instruction for downloading to the security processor via the application processor;

Step C2, erasing, by the security processor, the firmware buffer after the instruction for downloading is received by the security processor, storing firmware information in the instruction for downloading into the firmware buffer, and returning a first operation response to the upper computer via the application processor;

Step C3, checking, by the upper computer, the first operation response after the first operation response is received by the upper computer, sub-packaging and sending the firmware via the application processor to the security processor in the case that the first operation response is that the operation is successful; prompting that the information has error in the case that the first operation response includes error information, and the process of downloading firmware terminating;

Step C4, writing, by the security processor, firmware data in firmware data packages into the firmware buffer after the firmware data packages is received by the security processor, and sending a second operation response to the upper computer via the application processor;

Step C5, checking, by the upper computer, the second operation response after the second operation response is received, sending an downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; prompting that the information has error in the case that the second operation response includes error information, the process of downloading firmware terminating;

Step C6, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step C7; otherwise, executing Step C7 directly;

Step C7, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step C8; otherwise, executing Step C10;

Step C8, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step C9; otherwise, executing Step C10;

Step C9, decrypting, by the security processor, a first cipher in the firmware data cached in firmware buffer to obtain a decrypted result, obtaining a hash value of a second cipher in the decrypted result; performing hash calculation on cipher in the firmware data cached in the firmware buffer to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is same as the hash value of the second cipher obtained from the hash calculation, if the hash values are different from each other, erasing the firmware buffer and executing Step C10; if the hash values are same, executing Step C10 directly;

Step C10, returning, by the security processor, a third operation response to the upper computer via the application processor; and

Step C11, checking, by the upper computer, the third operation response after the third operation response is received by the upper computer, the firmware is downloaded successfully in the case that the third operation response is that the operation is successful; prompting that the information includes error in the case that the third operation response includes error information, the firmware is unsuccessfully downloaded; or,

downloading firmware includes:

Step D1, sending, by the application processor, a request-for-updating-firmware instruction to a server, waiting for the instruction for downloading sent by the server;

Step D2, sending, by the server, a corresponding instruction for downloading, via the application processor, to the security processor according to information of firmware type in the request-for-updating-firmware instruction after the request-for-updating-firmware instruction is received by the server;

Step D3, erasing, by the security processor, the firmware buffer after the instruction for downloading is received by the security processor, storing firmware information in the instruction for downloading into the firmware buffer, and returning the first operation response to the server via the application processor;

Step D4, checking, by the server, the first operation response after the first operation response is received by the server, sub-packaging the firmware and sending a sub-packaged firmware to the security processor via the application processor in the case that the first operation response is that the operation is successful; prompting that the information has error in the case that the first operation response has error information, and the process of downloading firmware terminating;

Step D5, writing, by the security processor, firmware data in firmware data packages into the firmware buffer after the firmware data packages are received, returning a second operation response to the server via the application processor;

Step D6, checking, by the server, the second operation response after the second operation response is received by the server, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; prompting that the information has error in the case that the second operation response includes error information, and the process of downloading firmware terminating;

Step D7, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step D8; otherwise, executing Step D8 directly;

Step D8, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step D9; if no, executing Step D11;

Step D9, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step S10; if no, executing Step D11;

Step D10, decrypting, by the security processor, a first cipher in the firmware data cached in the firmware buffer to obtain a decrypted result, obtaining a hash value of a second cipher from the decrypted result, performing a hash calculation on a second cipher in the firmware data cached in the firmware buffer to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is same as the hash value of the second cipher obtained via the hash calculation, erasing the firmware buffer and executing Step D11 if the hash values are different from each other; executing Step D11 directly if the hash values are just the same as each other;

Step D11, returning, by the security processor, a third operation response to the server via the application processor; and

Step D12, checking, by the server, a third operation response after the third operation response is received by the server, downloading firmware is successful in the case that the third operation response is that the operation is successful; prompting that the information has error in the case that the third operation response has error information, and downloading firmware has failed.

Preferably, the firmware information includes fixed data;

determining, by the security processor, whether firmware information cached in the firmware buffer is legitimate specifically includes: determining, by the security processor, the fixed data in the firmware information cached in the firmware buffer is preset data, if yes, the firmware information cached in the firmware buffer is legitimate; otherwise, the firmware information cached in the firmware buffer is illegitimate;

Preferably, the firmware information includes a length of firmware data;

determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer specifically includes: determining, by the security processor, whether the length of firmware data in the firmware information cached in the firmware buffer is same as the length of firmware data cached in the firmware buffer, if yes, the firmware data cached in the firmware buffer is legitimate; otherwise, the firmware data cached in the firmware buffer is not legitimate.

Preferably, after the security processor erases the security firmware storage area, the process further includes: copying the firmware information cached in the firmware buffer into the security firmware storage area;

after the application processor erases the application firmware storage area, the process further includes: copying the firmware information cached in the firmware buffer into the application firmware storage area.

Preferably, before Step D1, the process further includes:

Step E1, sending, by the application processor, a reading-firmware-version-information instruction to the security processor, and waiting for version information of firmware returned from the security processor;

Step E2, obtaining, by the security processor, version information of security firmware from the security firmware information stored in the security firmware storage area after the reading-firmware-version-information instruction is received by the security processor, obtaining version information of application firmware from the application firmware information stored in the application firmware storage area, and then returning the version information of security firmware and the version information of application firmware to the application processor;

Step E3, sending, by the application processor, an reading-latest-firmware-version-information instruction to the server after the version information of security firmware and the version information of application firmware are received by the application processor, waiting for information of the latest firmware version returned by the server;

Step E4, sending, by the server, information of the latest security firmware version and information of the latest application firmware version to the application processor after the reading-latest-firmware-version-information instruction is received by the server; and

Step E5, comparing, by the application processor, the information of the latest security firmware version and the information of the latest application firmware version sent by the server with the version information of security firmware and the version information of application firmware returned from the security processor respectively, determining whether the firmware need to be updated, if yes, executing Step D1; otherwise, downloading of firmware terminating;

Preferably, sending, by the server, a corresponding instruction for downloading to the security processor via the application processor according to the information of firmware type in the request-for-updating-firmware instruction includes:

sending, by the server, the instruction for downloading which includes firmware information of a security firmware update flag and the version information of security firmware to the security processor via the application processor in the case that the firmware is the security firmware;

sending, by the server, the instruction for downloading which includes firmware information of an application firmware update flag and the version information of application firmware to the security processor via the application processor in the case that the firmware is the application firmware.

According to the present invention, a security terminal has an application processor and a security processor which has not an interface connecting to outside; thus, the security processor cannot be invited directly, a firmware can be downloaded in the security processor only via the application processor, and the security processor takes part both in a process of updating a security firmware and a process of updating an application firmware, in this way, the firmware is protected from being intercepted, copied, interpolated, damaged or simulated in the process of updating.

BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS

The embodiments of the present invention or technical solutions in prior art are further described more clearly and completely with the drawings in the embodiments of the present invention. Obviously, the embodiments herein are just a few embodiments of the present invention, and when it comes to those skilled in the art, other drawings can be obtained by them without any inventive work.

FIG. 1 illustrates a flow diagram of downloading firmware in a method for updating firmware in a double-chip-schemed security terminal according to Embodiment 1 of the present invention;

FIG. 2 illustrates a flow diagram of updating security firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 1 of the present invention;

FIG. 3 illustrates a flow diagram of updating application firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 1 of the present invention;

FIG. 4 and FIG. 5 illustrate a flow diagram of downloading firmware in a method for updating firmware in a double-chip-schemed security terminal according to Embodiment 2 of the present invention;

FIG. 6 illustrates a flow diagram of updating security firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 2 of the present invention;

FIG. 7 illustrates a flow diagram of updating application firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 2 of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The technical solution in the Embodiments of the present invention is further described more clearly and completely with the drawings in the Embodiments of the present invention. Apparently, Embodiments described herein are just a few Embodiments of the present invention. On the basis of Embodiments of the invention, all other related Embodiments made by those skilled in the art without any inventive work belong to the scope of the invention.

An application processor and a security processor are set in a security terminal in the present invention, and the security processor does not have interface for outside, Embodiment 1 provides a method for updating locally, and Embodiment 2 provides a method for updating remotely.

Embodiment 1

The present invention provides a method for updating firmware in a double-chip-schemed security terminal, the method includes a process of downloading firmware and a process of updating firmware, in which, the process of downloading firmware applies for downloading of application firmware and downloading of security firmware; the process of updating firmware includes updating of application firmware and updating of security firmware.

As shown in FIG. 1, the process of downloading firmware specifically includes:

Step 101, an upper computer sends an instruction for downloading to an application processor;

in the present Embodiment 1, the upper computer sends the instruction for downloading including firmware information to the application processor, in which, the firmware information includes: fixed data, length of firmware data and a firmware update flag, the firmware update flag specifically includes an application firmware update flag and a security firmware update flag;

Step 102, the application processor sends the instruction for downloading to the security processor after the instruction for downloading is received by the application processor;

Step 103, the security processor erases a firmware buffer after the instruction for downloading is received by the security processor, and stores firmware information in the instruction for downloading into the firmware buffer;

Step 104, the security processor returns a first operation response to the application processor;

in Embodiment 1, the first operation response that the operation is successful is returned to the application processor in the case that the firmware buffer is successfully erased and the firmware information is successfully saved into the firmware buffer by the security processor; otherwise, the first operation response including error information is returned to the application processor;

Step 105, the application processor returns the first operation response to the upper computer after the first operation response is received by the application processor;

Step 106, the upper computer checks the first operation response after the first operation response is received, execute Step 107 in the case that the first operation response is that the operation is successful; prompt that information has error in the case that the first operation response includes error information, the process of downloading firmware terminates;

Step 107, the upper computer sub-packages the firmware and the sub-packaged firmware is downloaded into the application processor;

in Embodiment 1, the firmware is sub-packaged to obtain a firmware data package, the firmware data package includes the firmware data, a destination address and the length of firmware data, in which, the firmware data is composed by a first cipher and a second cipher; the first cipher is obtained by using a preset private key to encrypt a symmetric key and a hash value of the second cipher, and the second cipher is obtained by using a symmetric key to encrypt a firmware plaintext and a hash value of the firmware plaintext;

Step 108, the application processor sends the firmware data package to the security processor after the firmware data package is received by the application processor;

Step 109, the security processor writes firmware data in the firmware data package into the firmware buffer according a destination address and a length of firmware data in the firmware data package after the firmware data is received by the security processor;

Step 110, the security processor returns a second operation response to the application processor;

in the present Embodiment 1, the security processor returns the second operation response that the operation is successful to the application processor when the security processor writes the firmware data in the firmware data package into the firmware buffer successfully, otherwise, the security processor returns the second operation response which includes error information to the application processor;

Step 111, the application processor returns the second operation response to the upper computer after the second operation response is received by the application processor;

Step 112, the upper computer checks the second operation response after the second operation response is received by the upper computer, execute Step 113 in the case that the second operation response is that the operation is successful; while prompt that the information is error in the case that the second operation response includes error information, and the process of downloading firmware comes to an end;

Step 113, the upper computer sends a downloading-finished instruction to the application processor;

Step 114, the application processor sends the downloading-finished instruction to the security processor after the instruction is received by the application processor;

Step 115, the security processor determines whether the downloading-finished instruction includes a firmware data package after the downloading-finished instruction is received, if yes, execute Step 116; otherwise, execute Step 117;

Step 116, the security processor writes the firmware data in the firmware data package into the firmware buffer according to the destination address and the length of firmware data in the firmware data package, and executes Step 117;

Step 117, the security processor reads firmware information cached in the firmware buffer, and determines whether the firmware information is legitimate, if yes, execute Step 118; otherwise, execute Step 121;

in the present Embodiment 1, the security processor determines whether the firmware information is legitimate by determining whether fixed data in the firmware information is preset data, the firmware information is legitimate in the case that the fixed data in the firmware information is the preset data; the firmware information is illegitimate in the case that the fixed data in the firmware information is not the preset data;

preferably, in Embodiment 1, the preset data is 46 54 43 58;

Step 118, the security processor determines whether the fixed data which is downloaded is legitimate according to the firmware information, if yes, execute Step 119; otherwise, execute Step 121;

in the present Embodiment 1, the firmware data which is downloaded is the firmware data cached in the firmware buffer, the security processor determines whether the firmware data downloaded is legitimate by determining whether the length of firmware data in the firmware information is same as the length of firmware data cached in the firmware buffer, the firmware data downloaded is legitimate in the case that the length of firmware data in the firmware information is same as the length of firmware data cached in the firmware buffer; the firmware data is illegitimate in the case that the length of firmware data in the firmware information is different from the length of firmware data cached in the firmware buffer;

Step 119, the security processor decrypts the first cipher in the firmware data according to a preset public key to obtain a decrypted result, obtains a hash value of the second cipher in the decrypted result, performs a hash calculation on the second cipher in the firmware data to obtain a hash value of the second cipher;

Step 120, the security processor determines whether the hash value of the second cipher in the decrypted result is same as the hash value of the second cipher obtained by calculating, if yes, execute Step 122; otherwise, execute Step 121;

Step 121, the security processor erases the firmware buffer, and executes Step 122;

Step 122, the security processor returns a third operation response to the application processor;

in the present Embodiment 1, the security processor returns the third operation response that the operation is successful to the application processor in the case that the security processor determines that the firmware data in the firmware buffer is correct; otherwise, the security processor returns the third operation response which includes error information;

Step 123, the application processor returns the third operation response to the upper computer after the third operation response is received by the application processor;

Step 124, the upper computer checks the third operation response after the third operation response is received, the process of downloading firmware is finished in the case that the third operation response is the operation is successful; while prompt the information is error in the case that the third operation response includes error information, and the process of downloading firmware comes to an end;

in the present Embodiment 1, the security terminal restarts after the process of downloading firmware comes to an end, subsequently, the security processor determines a firmware update flag in the firmware information cached in the firmware buffer, if the firmware update flag is a security firmware update flag, the security firmware is updated; if the firmware update flag is an application firmware update flag, waits for an instruction for reading update state of the application firmware read by the application processor, returns a response that the application firmware needs to be updated to the application processor, and then the application firmware is updated.

As shown in FIG. 2, the process of updating the security firmware specifically includes:

Step 201, the security processor erases the firmware storage area;

Step 202, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to the preset public key to obtain a decrypted result, obtains a symmetric key from the decrypted result;

Step 203, the security processor initializes a reading-firmware address as an initial address of the second cipher in the firmware data cached in the firmware buffer, initializes a reading length as the length of second cipher in the firmware data cached in the firmware buffer, and initializes a updating-firmware destination address as a preset address in the security firmware storage area;

in the present Embodiment 1, the preset address in the security firmware storage area may be any address behind firmware information stored in the security firmware storage area;

preferably, in Step 203, the updating-firmware destination address is initialized as an address, offset of which equals the length of the firmware information stored in the security firmware storage area;

Step 204, the security processor reads data of a preset length from the firmware-read address;

Step 205, the security processor decrypts the read data according to the obtained symmetric key;

Step 206, the security processor writes the data obtained by decrypting into the firmware-updated destination address;

Step 207, the security processor updates the firmware-read address as an address obtained by the current firmware-read address plus an offset of a preset length, updates the reading length as a length obtained by the current reading length minus a preset length, and updates the firmware-updated destination address as an address obtained by the current firmware-updated destination address plus an offset of preset length;

Step 208, the security processor determines whether there exists unread data according to the reading length, if yes, return to Step 204; otherwise, execute Step 209;

in the present Embodiment 1, the security processor determines whether there exists unread data by determining whether the reading length is larger than 0, there exists unread data if the reading length is larger than 0; there is not unread data if the reading length is not larger than 0;

Step 209, the security processor erases the firmware buffer, the process of updating security firmware is finished.

As shown in FIG. 3, the process of updating application firmware specifically includes:

Step 301, the application processor erases the application firmware storage area, sends a reading-firmware-information instruction, and then waits for firmware information returned by the security processor;

Step 302, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to the preset public key after the reading-firmware-information instruction is received to obtain a decrypted result, obtains a symmetric key from the decrypted result, and initializes the firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer;

Step 303, the security processor returns the firmware information cached in the firmware buffer to the application processor;

Step 304, the application processor initializes the firmware-updated destination address as a preset address in the application firmware storage area after the firmware information is received by the application processor, obtains the length of firmware data in the firmware information, calculates the length of the second cipher in the firmware data according to the length of firmware data, and initializes the reading length as the length of second cipher in the firmware data;

specifically, calculating the length of the second cipher in the firmware data according to the length of firmware data includes: obtain a difference of the length of firmware and the length of the first cipher in the firmware data to obtain the length of the second cipher in the firmware data, in which, the length of the first length equals the length of the preset public key;

preferably, in Embodiment 1, the length of the preset public key is 256 bytes;

Step 305, the application processor sends a reading-firmware-data instruction to the security processor, and waits for firmware data returned from the security processor;

Step 306, the security processor reads data of preset length from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updates the firmware-read address as an address which is obtained by the current firmware-read address plus an offset of preset length, and decrypts the read data by using the obtained symmetric key;

Step 307, the security processor returns data obtained by decrypting to the application processor;

Step 308, the application processor writes received data into the firmware-updated destination address after the data obtained by decrypting is received by the application processor, updates the reading length as the length obtained by the current reading length minus the preset length, and updates the firmware-updated destination address as an address obtained by the current address plus an offset of preset length;

Step 309, the application processor determines whether there exists unread data according to the reading length, if yes, return to Step 305; otherwise, execute Step 310;

in Embodiment 1, the application processor determines whether there exists unread data by determining whether the reading length is larger than 0, there exists unread data if the reading length is larger than 0; there is not unread data if the reading length is not larger than 0;

Step 310, the application processor sends an instruction that reading firmware is finished to the security processor, and waits for an operation response returned from the security processor;

Step 311, the security processor erases the firmware buffer after the instruction that reading firmware is finished is received by the security processor;

Step 312, the security processor returns the operation response to the application processor;

Step 313, the process of updating application firmware is finished after the operation response returned from the security processor is received by the application processor.

Furthermore, in Embodiment 1, after the instruction is received by the security processor, the process further includes: whether format and content of the instruction is correct is checked, whether the instruction and a message authentication code in an authentication instruction are supported is determined, error code is returned to the application processor in the case that the format or content is not correct, the instruction is not supported and the message authentication code fails; for instance, 6D00 is returned to the application processor if the instruction is not supported.

In the method for updating the firmware provided by the present invention, the security terminal includes an application processor and a security processor, and the upper computer accesses the security processor only via the application processor, and the firmware which is to be updated is downloaded in the security process via the application processor in a form of cipher, the security of firmware is improved in the process of updating firmware because the security processor takes part in the process of updating application firmware or security firmware, thus, firmware is protect from being intercepted, copied, interpolated or damaged.

Embodiment 2

Embodiment 2 of the present invention provides a method for updating firmware in a double-chip-schemed security terminal, the method includes a process of downloading firmware and a process of updating firmware, in which the process of downloading firmware applies for downloading application firmware and downloading security firmware; the process of updating firmware includes updating application firmware and updating security firmware.

As shown in FIG. 4 and FIG. 5, the process of downloading firmware specifically includes:

Step 401, the application processor sends a reading-firmware-version-information instruction to the security processor;

Step 402, the security processor reads security firmware information from a security firmware storage area and reads application firmware information from an application firmware storage area respectively after the reading-firmware-version-information instruction is received by the security processor;

Step 403, the security processor obtains version information of security firmware from the security firmware information, and obtains version information of application firmware from the application firmware information;

Step 404, the security processor returns the version information of security firmware and the version information of application firmware to the application processor;

Step 405, the application processor receives and saves the version information of security firmware and the version information of application firmware returned from the security processor;

Step 406, the application process sends a reading-latest-firmware-version-information instruction to a server;

Step 407, the server sends the information of the latest security firmware version and the information of the latest application firmware version to the application processor after the reading-latest-version-information instruction is received by the server;

Step 408, the application processor compares the information of the latest security firmware version and the information of the latest application firmware version with the version information of security firmware and the version information of application firmware which are returned from the security processor respectively after the information of the latest application firmware version and the version information of security firmware are received by the application processor, determines whether the firmware need to be updated, if yes, execute Step 409; otherwise, the process of downloading firmware comes to an end;

in Embodiment 2, the application processor determines whether the information of the latest security firmware version is the same as the version information of security firmware returned from the security processor and whether the information of the latest application firmware version is the same as the version information of application firmware returned by the security processor respectively, if yes, the firmware need not to be updated; otherwise, the firmware need to be updated;

Step 409, the application processor sends a request-for-updating-firmware instruction to the server, and wait for an instruction for downloading sent by the server;

in the present Embodiment 2, the application processor sends a firmware-updated instruction which includes information of firmware type to the server, in which, the information of firmware type is security firmware or application firmware;

in the present Embodiment 2, when both the security firmware and the application firmware need to be updated, the application processor firstly requests the server for updating firmware, priority of which is higher, according to a preset priority; for example, the priority of security firmware is preset to be higher than the priority of application firmware, when that both the security firmware and the application firmware need to be updated is determined in Step 408, the application processor requests the server for updating the security firmware firstly;

Step 410, the server sends a corresponding instruction for downloading to the application processor according to the information of firmware type in the request-for-updating-firmware instruction after the request-for-updating-firmware instruction is received by the server;

in the present Embodiment 2, the server sends the downloading instruction including the firmware information to the application processor, in which, the firmware information includes fixed data, a length of firmware data, a firmware-updated flag and information of firmware version, in which, the firmware-updated flag specifically includes an application-firmware-updated flag and a security-firmware-updated flag, and the information of firmware version specifically includes information of security firmware version and information of application firmware version;

specifically, the server sends the downloading instruction which includes the firmware information including security-firmware-updated flag and information of security firmware version to the application processor in the case that the information of firmware type in the request-for-updating-firmware instruction is security firmware; the server sends the downloading instruction which includes the firmware information including an application-firmware-updated flag and the information of application firmware version to the application processor in the case that the information of firmware type in the request-for-updating-firmware instruction is the application firmware;

Step 411, the application processor sends the downloading instruction to the security processor after the instruction for downloading is received by the application processor;

Step 412, the security processor erases the firmware buffer after the instruction for downloading is received by the security processor, and stores the firmware information in the instruction for downloading into the firmware buffer;

Step 413, the security processor returns a first operation response to the application processor;

in the present Embodiment 2, the security processor returns the first operation response that the operation is successful to the application processor when the firmware buffer is erased and the firmware information is stored into the firmware buffer successfully by the application processor.

Step 414, the application processor returns the first operation response to the server after the first operation response is received by the application processor;

Step 415, the server checks the first operation response after the response is received by the server, execute Step 416 in the case that the operation is successful; prompt the information has error in the case that the first operation response includes error information, and the process of downloading firmware comes to an end;

Step 416, the server sub-packages and downloads the firmware into the application processor;

in the present Embodiment 2, the firmware is sub-packaged to obtain a firmware data package which further includes a destination address and a length of firmware data except for firmware data, in which, the firmware data is composed by the first cipher and the second cipher, the first cipher is obtained by using a preset private key to encrypt a symmetric key and a hash value of the second cipher, the second cipher is obtained by using the symmetric key to encrypt firmware plaintext and a hash value of firmware plaintext;

Step 417, the application processor sends the firmware data package to the security processor after the firmware data package is received by the application processor;

Step 418, the security processor writes firmware data in the firmware data package into the firmware buffer according the destination address and the length of firmware data in the firmware data package after the firmware data is received by the security processor;

Step 419, the security processor returns a second operation response to the application processor;

in the present Embodiment 2, the security processor returns the second operation response that the operation is successful to the application processor in the case that the security processor writes the firmware data in the firmware data package into the firmware buffer successfully; otherwise, the security processor returns the second operation response including error information to the application processor.

Step 420, the application processor returns the second operation response to the server after the second operation response is received by the application processor;

Step 421, the server checks the second operation response after it receives the second operation response, execute Step 422 in the case that the second operation response is that the operation is successful; prompt that the information includes error in the case that the second operation response includes error, and the process of downloading firmware come to an end;

Step 422, the server sends an downloading-finished instruction to the application processor;

Step 423, the application processor sends the downloading-finished instruction to the security processor after the downloading-finished instruction is received by the application processor;

Step 424, the security processor determines whether the downloading-finished instruction includes the firmware data package after the instruction is received by the security processor, if yes, execute Step 425; otherwise, execute Step 426;

Step 425, the security processor writes the firmware data in the firmware data package into the firmware buffer according to the destination address and the length of firmware data in the firmware data package, and execute Step 426;

Step 426, the security processor reads the firmware information cached in the firmware buffer, and determines whether the firmware information is legitimate, if yes, execute Step 427; otherwise, execute Step 430;

in the present Embodiment 2, the security processor determines whether the firmware information is legitimate by determining whether the firmware data in the firmware information is preset data, the firmware information is legitimate in the case that the firmware data in the firmware information is the preset data; the firmware information is illegitimate in the case that the firmware data in the firmware information is not the preset data;

preferably, in Embodiment 2, the preset data is 46 54 43 58;

Step 427, the security processor determines whether downloaded firmware data is legitimate according to the firmware information, if yes, execute Step 428; otherwise, execute Step 430;

in the present Embodiment 2, the downloaded firmware data is the firmware data cached in the firmware buffer, the security processor determines whether the downloaded firmware data is legitimate by determining whether the length of firmware data in the firmware information is the same as the length of firmware data cached in the firmware buffer, the firmware data is legitimate if the length of firmware data in the firmware information is same as the length of firmware data cached in the firmware buffer; otherwise, the firmware data is not legitimate;

Step 428, the security processor decrypts the first cipher in the firmware data according to the preset public key to obtain a decrypted result, obtains a hash value of the second cipher from the decrypted result, performs hash calculation on the second cipher in the firmware data to obtain a hash value of the second cipher;

Step 429, the security processor determines whether the hash value of the second cipher in the decrypted result is same as the hash value of the second cipher obtained by calculating, if yes, execute Step 431; otherwise, execute Step 430;

Step 430, the security processor erases the firmware buffer, and Step 431 is executed; Step 431, the security processor returns a third operation response to the application processor;

in Embodiment 2, the security processor returns a third operation response that the operation is successful in the case that the firmware data in the firmware buffer is correct; otherwise, the security processor returns a third operation response including error information to the application processor;

Step 432, the application processor returns the third operation response to the server after the third operation response is received by the application processor;

Step 433, the server checks the third operation response after the third operation response is received by the server, the process of downloading firmware is finished if the third operation response is the operation is successful; prompt the information includes error if the third operation response includes error, and the process of downloading come to an end.

In Embodiment 2, after the firmware is downloaded, the security terminal is restarted, subsequently, the security processor checks the firmware-updated flag in the firmware information cached in the firmware buffer, the security firmware is updated if the flag is a security-firmware-updated flag; a reading-application-firmware-update-state instruction sent by the application processor is waited for, and the application firmware is updated after the application processor returns a response that the application firmware need to be updated if the flag is an application-firmware-updated flag.

As shown in FIG. 6, the process of updating the security firmware specifically includes:

Step 501, the application processor erases the security firmware storage area;

Step 502, the security processor copies the firmware information in the firmware buffer into the security firmware storage area;

Step 503, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to the preset public key to obtain a decrypted result, and obtains a symmetric key from the decrypted result;

Step 504, the security processor initializes a firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer, initializes a reading length as the length of the second cipher in the firmware data cached in the firmware buffer, and initializes a firmware-updated destination address as a preset address in the security firmware storage area;

in the present Embodiment 2, the preset address in the security firmware storage area may be any address behind the firmware information stored in the security firmware storage area;

preferably, in Step 504, initializing the firmware-updated destination address as an address, an offset of which equals the length of the firmware information stored in the security firmware storage area;

Step 505, the security processor reads a preset length of data from the firmware-read address;

Step 506, the security processor decrypts the read data according to the obtained symmetric key;

Step 507, the security processor writes data obtained by decrypting into the firmware-updated destination address;

Step 508, the security processor updates the firmware-read address as an address which is obtained by adding a preset length of offset to the current firmware-read address, updates reading length as a length which is obtained by subtracting a preset length from the current reading length; updates the firmware-updated destination address as an address obtained by adding a preset length of offset to the current firmware-updated destination address;

Step 509, the security processor determines whether there exists unread data according to the reading length, if yes, return to Step 505; otherwise, execute Step 510;

in Embodiment 2, the security processor determines whether there exists unread data by determining whether the reading length is longer than 0, there exists unread data if the reading length is longer than 0; there is not unread data if the reading length is not longer than 0;

Step 510, the security processor erases the firmware buffer, the process of updating the security firmware is finished.

As shown in FIG. 7, the process of updating the application firmware specifically includes:

Step 601, the application processor erases the application firmware storage area, sends the reading-firmware-information instruction to the security processor, and waits for firmware information returned from the security processor;

Step 602, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to a preset public key after the reading-firmware-information instruction is received by the security processor;

Step 603, the security processor returns the firmware information cached in the firmware buffer to the application processor;

Step 604, the application processor stores the firmware information into the application firmware storage area after the firmware information is received, initializes the firmware-updated destination address as a preset address in the application firmware storage area, and obtains the length of firmware data in the firmware information, obtains the length of the second cipher in the firmware data by calculating according to the length of firmware data, and initializes the reading length as the length of the second cipher in the firmware data;

specifically, the preset address in the application firmware storage area may be any address in the application firmware storage area;

preferably, in Step 604, the firmware-updated destination address is initialized as an address, offset of which equals o, in the application firmware storage area;

specifically, obtaining the length of the second cipher in the firmware data by calculating according to the length of firmware data includes: figuring out a difference between a length of firmware and the length of first cipher in the firmware data to obtain a length of the second cipher in the firmware data, in which, the length of the first cipher equals the length of preset public key;

preferably, in Embodiment 2, the length of the preset public key is 256 bytes;

Step 605, the application processor sends the reading-firmware-data instruction to the security processor, and waits for the firmware data returned from the security processor;

Step 606, the security processor reads the preset length of data from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updates the firmware-read address as an address obtained by adding a preset length of offset to the current firmware-read address, and decrypts the read data by using the obtained symmetric key;

Step 607, the security processor returns the data obtained by decrypting to the application processor;

Step 608, the application processor writes received data into the firmware-updated destination address after the data obtained by decrypting which is returned by the security processor is received by the application processor, updates the reading length as a length obtained by subtracting a preset length from the current reading length, and updates the firmware-updated destination address as an address obtained by adding a preset length of offset to the current firmware-updated destination address;

Step 609, the application processor determines whether there exists unread data according to the reading length, if yes, return to Step 605; otherwise, execute Step 610;

in the present Embodiment 2, the application processor determines whether there exists unread data by determining whether the reading length is longer than 0, there exists unread data if the reading length is longer than 0; otherwise, there is not unread data;

Step 610, the application processor sends an instruction that reading firmware is finished to the security processor, and wait for an operation response returned by the security processor;

Step 611, the security processor erases the firmware buffer after the instruction that reading firmware is finished;

Step 612, the security processor returns an operation response to the application processor;

Step 613, the process of updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.

Furthermore, in Embodiment 2, after the instruction is received by the security processor, the process includes: checking whether a format and content of the instruction is correct, and whether the instruction is supported, and check the information authentication code in the instruction; an error code is returned to the application processor if the format or content is not correct, or the instruction is not supported the information authentication code is not authenticated unsuccessfully; for example, 6D 00 is returned to the application processor if the instruction is not supported.

In the method for updating firmware provided by the present invention, the security terminal includes an application processor and a security processor, and the upper computer accesses the security processor only via the application processor, and the firmware which is to be updated is downloaded in the security process via the application processor in a form of cipher, the security of firmware is improved in the process of updating firmware because the security processor takes part in the process of updating application firmware or security firmware, thus, firmware is protect from being intercepted, copied, interpolated or damaged or impersonating.

Embodiments above are only preferable embodiments, all changes and substitutes made by those skilled in the art belong to scope of protection of the present invention. 

1. A method for updating a firmware in a double-chip-schemed security terminal, wherein said method comprises: checking, by a security terminal, firmware information which is cached in a firmware buffer, and determining a type of the firmware to be updated according to the firmware information, updating a security firmware in the case that the firmware is the security firmware, while updating an application firmware in the case that the firmware is the application firmware; in which the security terminal comprises a security processor and an application processor, updating a security firmware comprises: Step A1, erasing, by the security processor, a security firmware storage area, decrypting a first cipher in firmware data cached in the firmware buffer so as to obtain a symmetric key, and initializing a firmware-read address and a firmware-updated destination address; Step A2, reading, by the security processor, a preset length of data from the firmware-read address, decrypting the read data according to the symmetric key so as to obtain decrypted data, writing the decrypted data in the firmware-updated destination address, and updating the firmware-read address and the firmware-updated destination address; and Step A3, determining, by the security processor, whether there exists any unread data, if yes, returning to Step A2; otherwise, ending the updating security firmware; and updating an application firmware comprises: Step B1, erasing, by the application processor, an application firmware storage area, sending a reading-firmware-information instruction to the security processor, and waiting for firmware information returned from the security processor; Step B2, decrypting, by the security processor, the first cipher in the firmware data cached in the firmware buffer so as to obtain a symmetric key after the reading-firmware-information instruction is received by the security processor, initializing the firmware-read address, and returning the firmware information cached in the firmware buffer to the application processor; Step B3, initializing, by the application processor, the firmware-updated destination address after the firmware information is received by the application process, and executing Step B4; Step B4, sending, by the application processor, a reading-firmware-data instruction to the security processor, and waiting for firmware data returned from the security processor; Step B5, reading, by the security processor, a preset length of data from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updating the firmware-read address, decrypting the read data according to the symmetric key, and returning data obtained by decrypting, which is decrypted data, to the application processor; and Step B6, writing, by the application processor, the decrypted data into the firmware-updated destination address after the decrypted data is received by the application processor, updating the firmware-updated destination address; and determining whether there exists any unread data, if yes, returning to Step B4; otherwise, ending the updating application firmware.
 2. The method as claimed in claim 1, wherein the firmware information comprises a firmware update flag; determining a type of firmware to be updated according to the firmware information specifically comprising: determining a type of the firmware update flag in the firmware information, the firmware to be updated is a security firmware in the case that the firmware update flag is a security firmware update flag; while the firmware to be updated is an application firmware in the case that the firmware update flag is an application firmware update flag.
 3. The method as claimed in claim 1, wherein, before the preset length of data is read by the security processor from the firmware-read address, the method further comprises: initializing a reading length; after the preset length of cipher is read by the security processor from the firmware-read address, the method further comprises: updating the reading length; and determining whether there exists any unread data specifically comprises: determining, by the security processor, whether the reading length is a preset value, if yes, there isn't any unread data; otherwise, there exists unread data.
 4. The method as claimed in claim 3, wherein, initializing the reading length specifically comprises: initializing the reading length, so as to make the initialized reading length equal a length of a second cipher in the firmware data cached in the firmware buffer; updating the reading length specifically comprises: updating the reading length as a length obtained by subtracting a preset length from a current value of the reading length; and the preset value specifically is
 0. 5. The method as claimed in claim 1, wherein, initializing the firmware-read address specifically comprises: initializing the firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer; and updating the firmware-read address specifically comprises: updating the firmware-read address as an address obtained by adding the preset length of offset to the current address.
 6. The method as claimed in claim 1, wherein, initializing, by the security processor, the firmware-updated destination address specifically comprises: initializing, by the security processor, the firmware-updated destination address as a preset address in the security firmware storage area; updating, by the security processor, the firmware-updated destination address specifically comprises: updating, by the security processor, the firmware-updated destination address as an address obtained by adding a preset length of offset to the current address.
 7. The method as claimed in claim 1, wherein, initializing, by the application processor, the firmware-updated destination address specifically comprises: initializing, by the application processor, the firmware-updated destination address as a preset address in the application firmware storage area; and updating, by the application processor, the firmware-updated destination address specifically comprises: updating, by the application processor, the firmware-updated destination address as an address obtained by adding the preset length of offset to the current address.
 8. The method as claimed in claim 1, wherein, in Step A3, when the security processor determines that there is no unread data, the step further comprises: erasing the firmware buffer.
 9. The method as claimed in claim 1, wherein, in Step B6, when the application processor determines that there is no unread data, the step further comprises: Step B7, sending, by the application processor, an instruction that reading firmware is finished to the security processor, waiting for an operation response returned from the security process; Step B8, erasing, by the security processor, the firmware buffer after the instruction that reading firmware is finished is received by the security processor, and returning an operation response to the application processor; and updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.
 10. The method as claimed in claim 1, wherein, before the security terminal checks the firmware information cached in the firmware buffer, the method further comprises: downloading a firmware, which comprises: Step C1, sending, by an upper computer, an instruction for starting to download to the security processor via the application processor; Step C2, erasing, by the security processor, the firmware buffer after the instruction for starting to download is received by the security processor, storing a firmware information in the instruction for starting to download into the firmware buffer, and returning a first operation response to the upper computer via the application processor; Step C3, checking, by the upper computer, the first operation response after the first operation response is received by the upper computer, sub-packaging and sending the firmware via the application processor to the security processor in the case that the first operation response is that the operation is successful; while prompting that the information has error in the case that the first operation response includes error information, and terminating a process of downloading firmware; Step C4, writing, by the security processor, firmware data in firmware data package into the firmware buffer after the firmware data packages are received by the security processor, and returning a second operation response to the upper computer via the application processor; Step C5, checking, by the upper computer, the second operation response after the second operation response is received by the upper computer, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; while prompting that the information has error in the case that the second operation response includes error information, then terminating the downloading the firmware; Step C6, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step C7; otherwise, executing Step C7 directly; Step C7, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step C8; otherwise, executing Step C10; Step C8, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step C9; otherwise, executing Step C10; Step C9, decrypting, by the security processor, a first cipher in the firmware data cached in firmware buffer so as to obtain a decrypted result, obtaining a hash value of a second cipher in the decrypted result; performing a hash calculation on a cipher in the firmware data cached in the firmware buffer so as to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is just the same as the hash value of the second cipher obtained from the hash calculation, if no, erasing the firmware buffer, and executing Step C10; if yes, executing Step C10 directly; Step C10, returning, by the security processor, a third operation response to the upper computer via the application processor; and Step C11, checking, by the upper computer, the third operation response after the third operation response is received by the upper computer, in which the firmware is downloaded successfully in the case that the third operation response is that the operation is successful; while prompting that the information includes error in the case that the third operation response includes error information, the firmware is unsuccessfully downloaded.
 11. The method as claimed in claim 1, wherein, the method further comprises downloading a firmware before the security terminal checks the firmware information cached in the firmware buffer, in which, downloading the firmware comprises: Step D1, sending, by the application processor, a request-for-updating-firmware instruction to a server, and waiting for an instruction for starting to download sent from the server; Step D2, sending, by the server, the corresponding instruction for starting to download via the application processor, to the security processor according to information of firmware type in the request-for-updating-firmware instruction after the request-for-updating-firmware instruction is received by the server; Step D3, erasing, by the security processor, the firmware buffer after the instruction for starting to download is received by the security processor, saving firmware information in the instruction for starting to download into the firmware buffer, and returning the first operation response to the server via the application processor; Step D4, checking, by the server, the first operation response after the first operation response is received by the server, sub-packaging the firmware and sending a sub-packaged firmware to the security processor via the application processor in the case that the first operation response is that the operation is successful; while prompting that the information has error in the case that the first operation response has error information, and terminating the downloading the firmware; Step D5, writing, by the security processor, firmware data in firmware data packages into the firmware buffer after the firmware data packages are received by the security processor, returning a second operation response to the server via the application processor; Step D6, checking, by the server, the second operation response after the second operation response is received by the server, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; while prompting that the information has error in the case that the second operation response includes error information, and terminating the downloading the firmware; Step D7, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step D8; otherwise, executing Step D8 directly; Step D8, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step D9; if no, executing Step D11; Step D9, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step S10; if no, executing Step D11; Step D10, decrypting, by the security processor, a first cipher in the firmware data cached in the firmware buffer so as to obtain a decrypted result, obtaining a hash value of a second cipher from the decrypted result, performing a hash calculation on a second cipher in the firmware data cached in the firmware buffer so as to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is just the same as the hash value of the second cipher obtained via the hash calculation, if no, erasing the firmware buffer and executing Step D11; if yes, executing Step D11 directly; Step D11, returning, by the security processor, a third operation response to the server via the application processor; and Step D12, checking, by the server, the third operation response after the third operation response is received by the server, in which downloading firmware is successful in the case that the third operation response is that the operation is successful; while prompting that the information has error in the case that the third operation response has error information, and downloading firmware is failed.
 12. The method as claimed in claim 10, wherein, the firmware information includes fixed data; determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate specifically comprising: determining, by the security processor, the fixed data in the firmware information cached in the firmware buffer is preset data, if yes, determining that the firmware information cached in the firmware buffer is legitimate; otherwise, determining that the firmware information cached in the firmware buffer is illegitimate.
 13. The method as claimed in claim 11, wherein, the firmware information includes fixed data; determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate specifically comprising: determining, by the security processor, the fixed data in the firmware information cached in the firmware buffer is preset data, if yes, determining that the firmware information cached in the firmware buffer is legitimate; otherwise, determining that the firmware information cached in the firmware buffer is illegitimate.
 14. The method as claimed in claim 10, wherein, the firmware information comprises the length of firmware data; determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer specifically comprising: determining, by the security processor, whether the length of firmware data in the firmware information cached in the firmware buffer is just the same as the length of firmware data cached in the firmware buffer, if yes, determining that the firmware data cached in the firmware buffer is legitimate; otherwise, determining that the firmware data cached in the firmware buffer is not legitimate.
 15. The method as claimed in claim 11, wherein, the firmware information comprises the length of firmware data; determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer specifically comprising: determining, by the security processor, whether the length of firmware data in the firmware information cached in the firmware buffer is just the same as the length of firmware data cached in the firmware buffer, if yes, determining that the firmware data cached in the firmware buffer is legitimate; otherwise, determining that the firmware data cached in the firmware buffer is not legitimate.
 16. The method as claimed in claim 11, wherein, after the security processor erases the security firmware storage area, the method further comprises: copying the firmware information cached in the firmware buffer into the security firmware storage area; after the application processor erases the application firmware storage area, the method further comprises: copying the firmware information cached in the firmware buffer into the application firmware storage area.
 17. The method as claimed in claim 16, wherein, before Step D1, the method further comprises: Step E1, sending, by the application processor, a reading-firmware-version-information instruction to the security processor, and waiting for version information of firmware returned from the security processor; Step E2, obtaining, by the security processor, version information of the security firmware from the security firmware information stored in the security firmware storage area after the reading-firmware-version-information instruction is received by the security processor, obtaining version information of application firmware from the application firmware information stored in the application firmware storage area, and then returning the version information of security firmware and the version information of application firmware to the application processor; Step E3, sending, by the application processor, a reading-latest-firmware-version-information instruction to the server after the version information of security firmware and the version information of application firmware are received by the application processor, and waiting for information of the latest firmware version returned from the server; Step E4, sending, by the server, information of the latest security firmware version and information of the latest application firmware version to the application processor after the reading-latest-firmware-version-information instruction is received by the server; and Step E5, comparing, by the application processor, the information of the latest security firmware version and the information of the latest application firmware version sent from the server with the version information of the security firmware and the version information of the application firmware returned from the security processor respectively, determining whether the firmware need to be updated, if yes, executing Step D1; otherwise, terminating downloading of the firmware.
 18. The method as claimed in claim 11, wherein, sending, by the server, a corresponding instruction for starting to download to the security processor via the application processor according to the information of firmware type in the request-for-updating-firmware instruction specifically comprises: sending, by the server, the instruction for starting to download which includes firmware information of a security firmware update flag and the version information of the security firmware to the security processor via the application processor in the case that the firmware is the security firmware; and sending, by the server, the instruction for starting to download which includes firmware information of an application firmware update flag and the version information of the application firmware to the security processor via the application processor in the case that the firmware is the application firmware. 